Privacy Policy

Draft โ€” for legal review prior to publication

OWNKEY LTD ยท 124-128, City Road, London, EC1V 2NX, United Kingdom ยท www.ownkey.tech

1. Introduction and Scope

This Privacy Policy (the "Policy") explains how OWNKEY LTD ("OWNKEY", "we", "us", "our"), a company registered in England and Wales with its registered office at 124-128, City Road, London, EC1V 2NX, United Kingdom, collects, uses, discloses, and protects personal data in connection with the platform available at www.ownkey.tech and its associated applications (the "Service"). This Policy forms part of, and should be read together with, our Terms of Use.

This Policy applies to prospective, current, and former Users of the Service. It does not apply to information processed by third parties, including our Exchange Provider, Program Manager/BIN Sponsor, banking partners, or blockchain networks, under their own privacy terms, except as described below.

2. Data We Collect

Depending on your use of the Service, we may collect the following categories of personal data:

  • Identification data: full name, date of birth, nationality, government ID documents, photograph/selfie, and similar data collected for KYC/AML purposes;
  • Contact data: email address, phone number, postal address;
  • Financial and transactional data: currency conversion history, card transaction data, source-of-funds information, and related payment metadata;
  • Wallet-related data: public wallet addresses and on-chain transaction data associated with your Account. We do not collect, store, or have access to your private keys or recovery phrase, as the Service is non-custodial;
  • Technical and usage data: IP address, device identifiers, browser type, log data, and analytics regarding your interaction with the Platform;
  • Communications: correspondence with our support team and any information you voluntarily provide to us.

3. Sources of Data

We collect personal data directly from you (e.g., during registration or verification), automatically through your use of the Service (e.g., device and log data), and from third parties, including identity verification providers, our Exchange Provider, our Program Manager/BIN Sponsor, and publicly available blockchain data.

4. How and Why We Use Your Data

We process personal data for the following purposes and on the following legal bases under the UK GDPR and the Data Protection Act 2018:

  • To provide, operate, and maintain the Service โ€” performance of a contract (Art. 6(1)(b) UK GDPR);
  • To perform identity verification and comply with KYC/AML and sanctions-screening obligations โ€” compliance with a legal obligation (Art. 6(1)(c));
  • To process currency conversions via the Exchange Provider and facilitate Card issuance via the Program Manager/BIN Sponsor โ€” performance of a contract (Art. 6(1)(b));
  • To detect, prevent, and investigate fraud, security incidents, and prohibited activity โ€” legitimate interests / legal obligation (Art. 6(1)(c)/(f));
  • To communicate with you regarding your Account, transactions, and updates to our terms and policies โ€” performance of a contract / legitimate interests (Art. 6(1)(b)/(f));
  • To improve the Service and understand usage patterns โ€” legitimate interests (Art. 6(1)(f));
  • Where required, to respond to requests from regulators, law enforcement, or courts โ€” compliance with a legal obligation (Art. 6(1)(c)).

5. Sharing and Disclosure of Data, Including With the Exchange Provider and Program Manager

In order to provide the Service, we share the following categories of personal data with the following Third-Party Providers, solely to the extent necessary for them to perform their respective functions:

  • Exchange Provider: identification data collected for KYC purposes, and transaction data necessary to execute currency conversion instructions;
  • Program Manager / BIN Sponsor and any bank-emitter: identification data collected for KYC purposes, contact data, and transaction data necessary to issue and administer a Card;
  • Identity verification and fraud-prevention service providers acting on our behalf or on behalf of the Exchange Provider/Program Manager;
  • Cloud hosting, analytics, and other technology service providers acting on our behalf;
  • Regulators, law enforcement, or other authorities where required by applicable law or in response to a valid legal request;
  • A successor entity in connection with a merger, acquisition, reorganization, or sale of assets.

The Exchange Provider and the Program Manager/BIN Sponsor each act as an independent controller of the personal data they receive for the purposes of performing their own regulatory functions (including their own KYC/AML obligations), and process such data under their own privacy notices, which will be made available to you at the relevant point in the onboarding or Card issuance process.

We do not sell your personal data to third parties for their own marketing purposes.

6. International Data Transfers

Where our Exchange Provider, Program Manager/BIN Sponsor, or other Third-Party Providers are located outside the United Kingdom, your personal data may be transferred to, and processed in, those jurisdictions. Where such transfers occur, we will ensure appropriate safeguards are in place as required under the UK GDPR, such as an adequacy regulation or UK International Data Transfer Agreement/Addendum with the recipient.

7. Data Retention

We retain personal data for as long as necessary to provide the Service and to comply with our legal obligations, including record-keeping requirements under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended), which generally require retention of KYC records for five years following the end of the business relationship, unless a longer period is required by law. Where data is no longer required, we will securely delete or anonymize it.

8. Your Rights

Under the UK GDPR, you have the right to: access the personal data we hold about you; request correction of inaccurate data; request erasure of your data (subject to our legal retention obligations); object to or restrict certain processing; request portability of your data; and withdraw consent where processing is based on consent. To exercise these rights, please contact us using the details in Section 12. We will respond within the timeframes required by the UK GDPR (generally one month).

Please note that, due to the immutable nature of blockchain technology, public ledger data (such as wallet addresses and transaction history) cannot be deleted, modified, or restricted. Exercising your right to erasure will not result in the removal of data broadcast to the blockchain.

To request deletion of your Account, please email us at tech@ownkey.tech.

9. Data Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration, including encryption in transit, access controls, and monitoring. No system is completely secure, and we cannot guarantee the absolute security of your data.

10. Cookies and Similar Technologies

We and our service providers may use cookies, SDKs, and similar technologies to operate the Platform, remember preferences, and analyze usage. You can control cookies through your browser or device settings; disabling certain cookies may affect the functionality of the Service.

11. Children

The Service is not directed at, and is not intended for use by, individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor without appropriate consent, we will take steps to delete such data.

12. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified to you through the Platform or by other reasonable means in advance of their effective date. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

13. Contact Us and Supervisory Authority

OWNKEY LTD ยท Registered office: 124-128, City Road, London, EC1V 2NX, United Kingdom ยท Website: www.ownkey.tech

If you have questions about this Policy or wish to exercise your data protection rights, please contact us through the channels listed on our website.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom, or via ico.org.uk, if you believe our processing of your personal data infringes applicable law.